On 12/29/25 03:51, Werner Koch wrote:
Hi!
Jacob was so kind to comment on the reported bugs. I agree with most of
his comments. [...]
Thank you.
[...] At that time I also drafted an article to explain the well known
problem of hard-to-correct-use of cleartext signatures including a bit of
history: https://gnupg.org/blog/20251226-cleartext-signatures.html
This is also the most important point to me, because cleartext
signatures have their uses, for example, signing a list of file digests,
which is also the use case attacked in item 10.
Is there a safe (but presumably less convenient) way to use cleartext
signatures, perhaps by strictly validating the overall message
structure, or is this basically an unfixable problem? Could GPG perform
such validation steps and emit a warning if a clearsigned message does
not strictly conform?
-- Jacob
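One concrete form the strict structural validation asked about above could take, as an added example written for this page (not GnuPG code and not part of the thread): it accepts only a single clearsigned block in the RFC 4880 framing, flags unsigned text before or after it and unescaped leading dashes, and returns the dash-unescaped signed text. The sample messages are constructed and the signature body is a placeholder, so cryptographic verification still has to be done separately by gpg; this check only narrows what a reader treats as signed.

```python
import re
BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

# Constructed sample: a clearsigned digest list; the signature body is a
# placeholder string, not a real signature (only the framing is checked here).
GOOD = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
        "sha256sum output:\n- -- dash-escaped line\n0123abcd  release.tar\n"
        "-----BEGIN PGP SIGNATURE-----\n\nPLACEHOLDERSIGDATA\n=crc0\n"
        "-----END PGP SIGNATURE-----\n")
# Constructed: unsigned text appended after the signature block.
TRAILING = GOOD + "unsigned line that a lax reader might show as signed\n"

def strict_clearsign_check(text):
    """Return (cleartext, problems); empty problems means one well-formed block, nothing else."""
    problems = []
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()                      # tolerate one trailing newline
    if not lines or lines[0] != BEGIN_SIGNED:
        return None, ["input does not begin with the signed-message header"]
    if lines.count(BEGIN_SIGNED) != 1:
        problems.append("more than one signed-message header")
    i = 1                                # armor headers up to the blank line
    while i < len(lines) and lines[i] != "":
        if not re.fullmatch(r"Hash: [A-Za-z0-9,]+", lines[i]):
            problems.append(f"unexpected armor header: {lines[i]!r}")
        i += 1
    if i == len(lines):
        return None, problems + ["no blank line after armor headers"]
    i += 1
    body = []                            # signed text, dash-escaping undone
    while i < len(lines) and lines[i] != BEGIN_SIG:
        line = lines[i]
        if line.startswith("- "):
            line = line[2:]
        elif line.startswith("-"):
            problems.append(f"line {i + 1}: unescaped leading dash")
        body.append(line)
        i += 1
    if i == len(lines):
        return "\n".join(body), problems + ["no signature block"]
    rest = lines[i + 1:]
    if END_SIG not in rest:
        problems.append("signature block not terminated")
    elif any(t.strip() for t in rest[rest.index(END_SIG) + 1:]):
        problems.append("data after END PGP SIGNATURE")
    return "\n".join(body), problems
```

A caller would reject the message (or at least refuse to display it as signed) whenever the problems list is non-empty, before ever handing it to gpg.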